// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
/**
* CI/CD Integration Module
*
* Provides integration with CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins)
* for automated policy validation and deployment.
*/
import { chmod } from 'node:fs/promises';
import * as vscode from 'vscode';
/**
 * A supported CI/CD system together with the pipeline definition this
 * extension can write into the workspace for it.
 */
export interface CICDProvider {
  /** Stable identifier used for lookup (e.g. `'github-actions'`). */
  id: string;
  /** Human-readable name shown in the UI. */
  name: string;
  /** Workspace-relative path of the pipeline file that gets generated. */
  configFile: string;
  /** Verbatim contents written to `configFile`. */
  template: string;
}
/**
 * Outcome of a policy validation run.
 */
export interface ValidationResult {
  /** Overall verdict of the run. */
  passed: boolean;
  /** Individual findings reported by the run. */
  violations: {
    /** File the finding applies to. */
    file: string;
    /** Line within `file` — assumed 1-based; confirm against the producer. */
    line: number;
    /** Identifier of the rule that fired. */
    rule: string;
    /** Human-readable description of the finding. */
    message: string;
    /** Whether the finding is blocking (`'error'`) or advisory (`'warning'`). */
    severity: 'error' | 'warning';
  }[];
  /** Aggregate counts for the run. */
  summary: {
    filesScanned: number;
    errorsFound: number;
    warningsFound: number;
  };
}
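/**
 * Writes CI/CD pipeline definitions and a git pre-commit hook into the
 * current workspace so that `agentos check` runs automatically.
 *
 * The local hook is a convenience for developers: a committer can skip local
 * hooks, so the `--fail-on-violation` step in the generated pipeline is the
 * place where violations are actually enforced.
 */
export class CICDIntegration {
  /**
   * Built-in pipeline templates, looked up by `CICDProvider.id`.
   *
   * The template text is written to the workspace verbatim. Anyone hardening a
   * pipeline built from it should note that third-party actions/tasks are
   * referenced by major tag rather than by commit SHA and that
   * `agent-os-kernel` is installed without a version pin, so each run resolves
   * whatever the registry serves at that moment.
   */
  private readonly providers: readonly CICDProvider[] = [
    {
      id: 'github-actions',
      name: 'GitHub Actions',
      configFile: '.github/workflows/agent-os.yml',
      template: `name: Agent OS Security Check
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
jobs:
  security-check:
    runs-on: ubuntu-latest
    name: Agent OS Policy Validation
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Agent OS
        run: pip install agent-os-kernel
      - name: Run Policy Validation
        run: |
          agentos check --format sarif --output results.sarif
        continue-on-error: true
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
      - name: Check for violations
        run: |
          agentos check --fail-on-violation
`
    },
    {
      id: 'gitlab-ci',
      name: 'GitLab CI',
      configFile: '.gitlab-ci.yml',
      template: `stages:
  - security
agent-os-check:
  stage: security
  image: python:3.11
  before_script:
    - pip install agent-os-kernel
  script:
    - agentos check --format json --output agent-os-report.json
    - agentos check --fail-on-violation
  artifacts:
    reports:
      codequality: agent-os-report.json
    when: always
  rules:
    - if: \$CI_PIPELINE_SOURCE == "merge_request_event"
    - if: \$CI_COMMIT_BRANCH == "main"
`
    },
    {
      id: 'azure-pipelines',
      name: 'Azure Pipelines',
      configFile: 'azure-pipelines.yml',
      template: `trigger:
  - main
  - develop
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '3.11'
  - script: |
      pip install agent-os-kernel
    displayName: 'Install Agent OS'
  - script: |
      agentos check --format sarif --output $(Build.ArtifactStagingDirectory)/agent-os.sarif
    displayName: 'Run Agent OS Check'
    continueOnError: true
  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)'
      artifactName: 'SecurityReports'
  - script: |
      agentos check --fail-on-violation
    displayName: 'Validate No Violations'
`
    },
    {
      id: 'jenkins',
      name: 'Jenkins',
      configFile: 'Jenkinsfile',
      template: `pipeline {
    agent any
    stages {
        stage('Setup') {
            steps {
                sh 'pip install agent-os-kernel'
            }
        }
        stage('Agent OS Security Check') {
            steps {
                sh 'agentos check --format json --output agent-os-report.json'
                archiveArtifacts artifacts: 'agent-os-report.json', allowEmptyArchive: true
            }
        }
        stage('Validate') {
            steps {
                sh 'agentos check --fail-on-violation'
            }
        }
    }
    post {
        always {
            recordIssues(
                tools: [checkStyle(pattern: 'agent-os-report.json')]
            )
        }
    }
}
`
    },
    {
      id: 'circleci',
      name: 'CircleCI',
      configFile: '.circleci/config.yml',
      template: `version: 2.1
jobs:
  agent-os-check:
    docker:
      - image: cimg/python:3.11
    steps:
      - checkout
      - run:
          name: Install Agent OS
          command: pip install agent-os-kernel
      - run:
          name: Run Security Check
          command: |
            agentos check --format junit --output test-results/agent-os.xml
      - store_test_results:
          path: test-results
      - run:
          name: Fail on Violations
          command: agentos check --fail-on-violation
workflows:
  security:
    jobs:
      - agent-os-check
`
    }
  ];

  /**
   * Looks up a provider by its `id`.
   * @param id provider identifier such as `'github-actions'`
   * @returns the matching provider, or `undefined` when none matches
   */
  getProvider(id: string): CICDProvider | undefined {
    return this.providers.find((p) => p.id === id);
  }

  /**
   * Returns all known providers.
   * @returns a fresh array — mutating it does not affect the integration's
   *   own provider list
   */
  getAllProviders(): CICDProvider[] {
    return [...this.providers];
  }

  /**
   * Writes the pipeline definition for `providerId` into the first workspace
   * folder, asking before overwriting an existing file, then opens it.
   *
   * Errors are surfaced through VS Code notifications; nothing is thrown for
   * an unknown provider or a missing workspace.
   * @param providerId id of the provider whose template should be written
   */
  async generateConfig(providerId: string): Promise<void> {
    const provider = this.getProvider(providerId);
    if (!provider) {
      vscode.window.showErrorMessage(`Unknown CI/CD provider: ${providerId}`);
      return;
    }

    const workspaceFolder = this.firstWorkspaceFolder();
    if (!workspaceFolder) {
      return;
    }

    const configUri = vscode.Uri.joinPath(workspaceFolder.uri, provider.configFile);

    if (await this.exists(configUri)) {
      if (!(await this.confirmOverwrite(provider.configFile))) {
        return;
      }
    } else {
      // Best effort: the parent directory (e.g. `.github/workflows`) may or
      // may not exist yet, and a failure here will surface on writeFile anyway.
      try {
        await vscode.workspace.fs.createDirectory(vscode.Uri.joinPath(configUri, '..'));
      } catch {
        // Directory might already exist
      }
    }

    await vscode.workspace.fs.writeFile(configUri, new TextEncoder().encode(provider.template));

    const doc = await vscode.workspace.openTextDocument(configUri);
    await vscode.window.showTextDocument(doc);

    vscode.window.showInformationMessage(
      `Created ${provider.name} configuration: ${provider.configFile}`
    );
  }

  /**
   * Lets the user pick a provider from a quick-pick list and generates its
   * configuration. Does nothing when the pick is dismissed.
   */
  async showConfigWizard(): Promise<void> {
    const items = this.providers.map((p) => ({
      label: p.name,
      description: p.configFile,
      id: p.id
    }));

    const selected = await vscode.window.showQuickPick(items, {
      placeHolder: 'Select CI/CD provider'
    });

    if (selected) {
      await this.generateConfig(selected.id);
    }
  }

  /**
   * Validates staged files against the policy set.
   *
   * NOTE: not yet wired to the policy engine — this currently returns a
   * passing result with no violations and zero counts. Callers must not treat
   * `passed: true` from this method as evidence that a check actually ran.
   * @returns a placeholder {@link ValidationResult}
   */
  async validatePreCommit(): Promise<ValidationResult> {
    const result: ValidationResult = {
      passed: true,
      violations: [],
      summary: {
        filesScanned: 0,
        errorsFound: 0,
        warningsFound: 0
      }
    };
    return result;
  }

  /**
   * Installs a `pre-commit` hook into `.git/hooks` of the first workspace
   * folder that runs `agentos check --staged --fail-on-violation`.
   *
   * A hook script runs with the developer's privileges on every commit, so an
   * existing hook is never replaced without confirmation, and the executable
   * bit is set through the filesystem API instead of by interpolating the path
   * into a shell command.
   */
  async installPreCommitHook(): Promise<void> {
    const workspaceFolder = this.firstWorkspaceFolder();
    if (!workspaceFolder) {
      return;
    }

    const hooksDir = vscode.Uri.joinPath(workspaceFolder.uri, '.git', 'hooks');
    if (!(await this.exists(hooksDir))) {
      // Covers a folder that is not a repository as well as layouts where
      // `.git` is not a directory (the hooks location is then elsewhere).
      vscode.window.showErrorMessage(
        'No .git/hooks directory found in the workspace folder; pre-commit hook not installed.'
      );
      return;
    }

    const hookPath = vscode.Uri.joinPath(hooksDir, 'pre-commit');
    if (await this.exists(hookPath)) {
      if (!(await this.confirmOverwrite('.git/hooks/pre-commit'))) {
        return;
      }
    }

    const hookScript = `#!/bin/sh
# Agent OS pre-commit hook
# Validates code against security policies before committing
echo "🛡️ Running Agent OS security check..."
# Run Agent OS check on staged files
agentos check --staged --fail-on-violation
if [ $? -ne 0 ]; then
  echo ""
  echo "❌ Agent OS found policy violations. Commit blocked."
  echo "Run 'agentos check --staged' to see details."
  exit 1
fi
echo "✅ Agent OS check passed"
exit 0
`;

    try {
      await vscode.workspace.fs.writeFile(hookPath, new TextEncoder().encode(hookScript));
    } catch (error: unknown) {
      vscode.window.showErrorMessage(
        `Failed to install pre-commit hook: ${CICDIntegration.errorText(error)}`
      );
      return;
    }

    try {
      // Previously `chmod +x` was sent to a terminal that was disposed right
      // after sendText, so the command could be cut off before running; a
      // direct chmod is both reliable and free of shell-quoting concerns.
      await chmod(hookPath.fsPath, 0o755);
    } catch (error: unknown) {
      vscode.window.showWarningMessage(
        `Pre-commit hook written to ${hookPath.fsPath} but it could not be marked executable ` +
          `(${CICDIntegration.errorText(error)}); mark it executable manually.`
      );
      return;
    }

    vscode.window.showInformationMessage(
      'Pre-commit hook installed! Agent OS will check code before each commit.'
    );
  }

  /**
   * Returns the first workspace folder, reporting an error to the user when
   * no folder is open.
   */
  private firstWorkspaceFolder(): vscode.WorkspaceFolder | undefined {
    const folder = vscode.workspace.workspaceFolders?.[0];
    if (!folder) {
      vscode.window.showErrorMessage('No workspace folder open');
    }
    return folder;
  }

  /**
   * True when `uri` can be stat'ed. Any stat failure counts as "absent", which
   * keeps the original behaviour of falling through to creation.
   */
  private async exists(uri: vscode.Uri): Promise<boolean> {
    try {
      await vscode.workspace.fs.stat(uri);
      return true;
    } catch {
      return false;
    }
  }

  /**
   * Asks the user whether `label` may be overwritten.
   * @returns `true` only when the user explicitly chose "Overwrite"
   */
  private async confirmOverwrite(label: string): Promise<boolean> {
    const choice = await vscode.window.showWarningMessage(
      `${label} already exists. Overwrite?`,
      'Overwrite',
      'Cancel'
    );
    return choice === 'Overwrite';
  }

  /** Renders an unknown caught value for a user-facing message. */
  private static errorText(error: unknown): string {
    return error instanceof Error ? error.message : String(error);
  }
}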